GHSA-8X35-HPH8-37HQ
Vulnerability from github – Published: 2026-04-24 20:45 – Updated: 2026-05-08 02:02Impact
What kind of vulnerability is it? Who is impacted?
Command Injection vulnerabilities in electerm:
A command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation.
Who is impacted: Users who run npm install -g electerm in Linux. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.
Patches
Has the problem been patched? What versions should users upgrade to?
Fixed in 59708b38c8a52f5db59d7d4eff98e31d573128ee, user no need to upgrade, the new version already published in npm
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
no
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electerm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41501"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T20:45:13Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n**Command Injection vulnerabilities in electerm:**\n\nA command injection vulnerability exists in `github.com/elcterm/electerm/npm/install.js:130`. The `runLinux()` function appends attacker-controlled remote version strings directly into an `exec(\"rm -rf ...\")` command without validation.\n\n**Who is impacted:** Users who run `npm install -g electerm` in Linux. An attacker who can control the remote release metadata (version string or release name) served by the project\u0027s update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.\n\n---\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nFixed in [59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee), user no need to upgrade, the new version already published in npm\n\n---\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nno",
"id": "GHSA-8x35-hph8-37hq",
"modified": "2026-05-08T02:02:22Z",
"published": "2026-04-24T20:45:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electerm/electerm/security/advisories/GHSA-8x35-hph8-37hq"
},
{
"type": "WEB",
"url": "https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/electerm/electerm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "electerm has Command Injection via runLinux funtion"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.